Amendments to the Claims: 

This listing of claims replaces all prior versions, and listings, of claims in this application. 
Listing of Claims: 

1. (Currently Amended) A system for extracting information from network data, 
comprising: 

an input interface connected to at least one source of network data; and 
a network event sensor, communicating with the input interface, the network event sensor 
comprising 

an interpreter module, the interpreter module scanning the network data to generate 
logical groupings of the network data, and 

an assembler module, communicating with the interpreter module, the assembler module 
scanning the logical groupings to generate at least one session object. 

wherein the network event sensor applies a lexical engine to the at least one session 
object to identify the at least one network event as at least one of a predetermined set of event 
types 

applying at least a lexical engine to the network data to identify at least one network event. 

2. (Original) The system of claim 1, wherein the at least one source of network data 
comprises an observation port connected to a network and continuously capturing network data 
from the network. 

3. (Original) The system of claim 2, wherein the observation port comprises a network 
interface card. 

4. (Original) The system of claim 3, wherein the network comprises at least one of an 
Ethernet network, a token ring network, and a TCP/IP network. 

5. (Original) The system of claim 3, wherein the network interface card is invisible to the 
network. 

6. (Original) The system of claim 1, wherein the at least one source of network data 
comprises stored network data. 

7. (Original) The system of claim 6, wherein the stored network data comprise at least 
one of captured network files, Website mirrors, archives of Usenet files, and archives of email 
files. 

8. (Cancelled) 

9. (Currently Amended) The system of claim % 1, wherein the logical groupings 
comprise packets. 

10. (Currently Amended) The system of claim & 1, wherein the interpreter module 
removes low-level encoding information from the network data to generate the logical 
groupings. 

11. (Original) The system of claim 10, wherein the low-level encoding information 
removed by the interpreter module comprises hardware addressing information. 

12. (Cancelled) 

13. (Currently Amended) The system of claim 12, wherein the at least one session object 
comprises at least one session file. 

14. (Currently Amended) The system of claim 12, wherein the assembler module scans 
the logical groupings by examining at least one of source address, destination address, sequence 
numbers, source port, and destination port to generate the at least one session object. 



15. (Cancelled) 

16. (Currently Amended) The system of claim 1#, wherein the lexical engine detects the 
presence of at least one predefined keyword to identify the at least one of a predetermined set of 
event types. 

17. (Original) The system of claim 16, wherein the predetermined set of event types 
comprises at least one of TCP, IP, UDP, SMTP, HTTP, NNTP, FTP, TELNET, DNS, RIP, BGP, 
MAIL, NEWS, HTML, XML, PGP, S/MIME, POP, MAP, V-CARD, ICMP, NetBUI, IPX and 
SPX. 

18. (Original) The system of claim 16, wherein the lexical engine accumulates a total 
number of occurrences for the at least one predefined keyword to identify the event type. 

19. (Original) The system of claim 18, wherein the lexical engine applies a threshold to 
the number of occurrences to identify the event type. 

20. (Currently Amended) The system of claim 12, wherein the network event sensor 
applies the lexical engine recursively to identify more than one event type contained in the at 
least one session object. 

21. (Currently Amended) The system of claim IS, further comprising an extractor 
module, the extractor module extracting the at least one network event from the at least one 
session object according to the at least one of a predetermined set of event types. 

22. (Original) The system of claim 21, wherein the extractor module comprises a library 
of extractor types, each of the extractor types corresponding to at least one of the at least one of a 
predetermined set of event types. 

23. (Original) The system of claim 22, wherein the extractor module stores a minimum 
subset of the network data to reconstruct the at least one network event. 

24. (Original) The system of claim 23, wherein the minimum subset of the network data 
is stored in a database. 

25. (Original) The system of claim 24, further comprising a presentation module, 
communicating with the database, the presentation module querying the database for information 
related to the at least one network event. 

26. (Original) The system of claim 1, wherein the network event sensor also applies a 
port detection engine to the network data to identify the at least one network event. 

27. (Original) The system of claim 1, wherein the at least one source of network data 
comprises a plurality of sources of network data. 

28. (Currently Amended) A method for extracting information from network data, 
comprising the steps of: 

receiving network data from at least one source of network data; and 
scanning the network data to generate logical groupings of the network data; 
scanning the logical groupings to generate at least one session object; and 
applying at least a lexical engine to the network data at least one session object to identify 
at least one network event. 

29. (Original) The method of claim 28, wherein the at least one source of network data 
comprises an observation port connected to a network and continuously capturing network data 
from the network. 

30. (Original) The method of claim 29, wherein the observation port comprises a 
network interface card. 

31. (Original) The method of claim 30, wherein the network comprises at least one of an 
Ethernet network, a token ring network, and a TCP/IP network. 

32. (Original) The method of claim 30, wherein the network interface card is invisible to 
the network. 

33. (Original) The method of claim 28, wherein the at least one source of network data 
comprises stored network data. 

34. (Original) The method of claim 33, wherein the stored network data comprise at least 
one of captured network files, Website mirrors, archives of Usenet files, and archives of email 
files. 

35. (Cancelled) 

36. (Currently Amended) The method of claim 35 28, wherein the logical groupings 
comprise packets. 

37. (Currently Amended) The method of claim 34 28, further comprising a step of d) 
removing low level encoding information from the network data to generate the logical 
groupings. 

38. (Original) The method of claim 37, wherein the low-level encoding information 
comprises hardware addressing information. 

39. (Cancelled) 

40. (Currently Amended) The method of claim 39 1, wherein the at least one session 
object comprises at least one session file. 

41. (Currently Amended) The method of claim 39 1, wherein the step (e) of scanning the 
logical groupings comprises a step of f) examining at least one of source address, destination 
address, sequence numbers, source port, and destination port to generate the at least one session 
object. 

42. (Currently Amended) The method of claim 39 1, further comprising a step of g) 
identifying the at least one network event as at least one of a predetermined set of event types. 

43. (Currently Amended) The method of claim 42 wherein the step (g) of identifying 
comprises a step of (h) detecting the presence of at least one predefined keyword to identify the 
at least one of a predetermined set of event types. 



44. (Original) The method of claim 43, wherein the predetermined set of event types 
comprises at least one of TCP, IP, UDP, SMTP, HTTP, NNTP, FTP, TELNET, DNS, RIP, BGP, 
MAIL, NEWS, HTML, XML, PGP, S/MIME, POP, MAP, V-CARD, ICMP, NetBUI, IPX and 
SPX. 

45. (Currently Amended) The method of claim 43, wherein the step (h) of detecting 
comprises a step of (i) accumulating a total number of occurrences for the at least one predefined 
keyword to identify the event type. 

46. (Currently Amended) The method of claim 45, wherein the step (h) of detecting 
comprises a step (j) of applying a threshold to the number of occurrences to identify the event 
type. 

47. (Currently Amended) The method of claim 39, wherein the step of b) applying at 
least the lexical engine comprises a step of k) applying the lexical engine recursively to identify 
more than one event type contained in the at least one session object. 

48. (Currently Amended) The method of claim 42, further comprising a step of i) 
extracting the at least one network event from the at least one session object according to the at 
least one of a predetermined set of event types. 

49. (Currently Amended) The method of claim 48, wherein the step (4) of extracting 
comprises a step of m) selecting at least one extractor module from a library of extractor types, 
each of the extractor types corresponding to at least one of the at least one of a predetermined set 
of event types. 

50. (Currently Amended) The method of claim 49, further comprising a step of n) storing 
a minimum subset of the network data to reconstruct the at least one network event. 

51. (Currently Amended) The method of claim 50, wherein the step (a) of storing 
comprises a step e) of storing the minimum subset of the network data in a database. 

52. (Currently Amended) The method of claim 51, further comprising a step of p) 
querying the database for information related to the at least one network event. 

53. (Currently Amended) The method of claim 28, further comprising a step q) of 
applying a port detection engine to the network data to identify the at least one network event. 

54. (Original) The method of claim 28, wherein the at least one source of network data 
comprises a plurality of sources of network data. 
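
Illustration added to this listing, not part of the claims or of any code from the applicant: a minimal Python sketch of the pipeline recited in claims 14 and 16 to 19, grouping packets into session objects by address, port and sequence number, then accumulating predefined-keyword counts against a threshold. The keyword table, thresholds and packet tuples are assumptions constructed for the example; note that one keyword is split across two packets, so it is only found after assembly.

```python
# Added illustration; keyword lists, thresholds and packets are assumptions.
from collections import defaultdict

# Hypothetical table: event type -> (predefined keywords, minimum total occurrences)
KEYWORDS = {
    "SMTP": ((b"HELO", b"MAIL FROM:", b"RCPT TO:", b"DATA"), 3),
    "HTTP": ((b"GET ", b"POST ", b"HTTP/1.", b"Host:"), 2),
}

def assemble(packets):
    """Group packets by address/port and order by sequence number (no wraparound handling)."""
    groups = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in packets:
        # setdefault keeps the first copy of a retransmitted segment
        groups[(src, sport, dst, dport)].setdefault(seq, payload)
    return {key: b"".join(segs[s] for s in sorted(segs)) for key, segs in groups.items()}

def classify(session, table=KEYWORDS):
    """Return every event type whose accumulated keyword count meets its threshold."""
    hits = {}
    for event_type, (words, threshold) in table.items():
        total = sum(session.count(w) for w in words)
        if total >= threshold:
            hits[event_type] = total
    return hits

# Constructed sample: an SMTP flow delivered out of order, with one retransmission and
# "MAIL FROM:" split across two segments, plus a flow that stays below every threshold.
PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.9", 25, 1025, b"OM:<a@example.test>\r\n"),
    ("10.0.0.5", 40001, "10.0.0.9", 25, 1000, b"HELO client.test\r\n"),
    ("10.0.0.5", 40001, "10.0.0.9", 25, 1046, b"RCPT TO:<b@example.test>\r\nDATA\r\n"),
    ("10.0.0.5", 40001, "10.0.0.9", 25, 1018, b"MAIL FR"),
    ("10.0.0.5", 40001, "10.0.0.9", 25, 1000, b"HELO client.test\r\n"),
    ("10.0.0.7", 40002, "10.0.0.9", 23, 500, b"login: DATA entry clerk\r\n"),
]

def run():
    """Assemble the sample packets and classify each resulting session object."""
    return {key: classify(data) for key, data in assemble(PACKETS).items()}

if __name__ == "__main__":
    for key, types in run().items():
        print(key, types)
```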



